Cisco CSACSE-1111-K9 - Secure Access Control Server Solution Engine, Secure ACS Solution Engine 4.1 Installation Manual

Installation Guide for Cisco Secure ACS
Solution Engine 4.1

Version 4.1
License and Warranty
April 2007

Corporate Headquarters

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 526-4100

Text Part Number: OL-9969-03

CCSP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick
Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified
Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation,
Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ
Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Pac ket , PIX, Post-Routing, Pre-Routing,
ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO
are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0501R)

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required
to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not
installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to
comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable
protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital
devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television
communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its
peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:

• Turn the television or radio antenna until the interference stops.

• Move the equipment to one side or the other of the television or radio.

• Move the equipment farther away from the television or radio.

• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits
controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IMPLIED, INCLUDING, WITHOUT

Installation Guide for Cisco Secure ACS Solution Engine 4.1

© 2003–2007 Cisco Systems, Inc. All rights reserved

Preface ix

Audience ix

Organization ix

Conventions ix

Warning Definition x

Documentation Updates 1-xiv

Product Documentation xv

Related Documentation xvi

Obtaining Documentation xvi

Cisco.com xvi
Product Documentation DVD xvi
Ordering Documentation xvii

CONTENTS

CHAPTER

Documentation Feedback xvii

Cisco Product Security Overview xvii

Reporting Security Problems in Cisco Products xvii

Product Alerts and Field Notices xviii

Obtaining Technical Assistance xviii

Cisco Technical Support & Documentation Website xviii
Submitting a Service Request xix
Definitions of Service Request Severity xx

Obtaining Additional Publications and Information xx

Cisco 90-Day Limited Hardware Warranty Terms xxiii

1 Cisco Secure ACS Solution Engine Overview 1-1

System Description 1-1

ACS SE Hardware Description 1-2

Serial Port 1-2
Solution Engine Specifications for the Cisco 1113 1-3
Front Panel Features for the Cisco 1113 1-3
Back Panel Features for the Cisco 1113 1-5

Serial Port 1-6

Ethernet Connectors 1-7

Network Cable Requirements 1-7

78-xxxxx-xx

Book Title

iii

Contents

CHAPTER

2 Preparing for Installation 2-1

Safety 2-1

Warnings and Cautions 2-1
General Precautions 2-4
Maintaining Safety with Electricity 2-4
Protecting Against Electrostatic Discharge 2-5
Preventing EMI 2-5

Preparing Your Site for Installation 2-6

Environmental 2-6

Choosing a Site for Installation 2-6
Grounding the System 2-6

Creating a Safe Environment 2-7
AC Power 2-7
Cabling 2-7

Precautions for Rack-Mounting 2-8

Precautions for Products with Modems, Telecommunications, or Local Area Network Options 2-8

Required Tools and Equipment 2-9

CHAPTER

CHAPTER

3 Installing and Configuring Cisco Secure ACS Solution Engine 4.1 3-1

Installation Quick Reference 3-1

Installing the Cisco 1113 in a Rack 3-2

Attaching the Chassis Rail Mount 3-3
Attaching the Server Rail 3-6
Sliding Chassis On the Rack 3-8

Connecting to the AC Power Source 3-9

Connecting Cables 3-10

Initial Configuration 3-10

Establishing a Serial Console Connection 3-10
Configuring ACS SE 3-11
Verifying the Initial Configuration 3-15
Setting Up a GUI Administrator Account 3-16
Next Steps 3-17

4 Administering Cisco Secure ACS Solution Engine 4-1

Basic Command Line Administration Tasks 4-1

Logging In to the Solution Engine From a Serial Console 4-2
Shutting Down the Solution Engine From a Serial Console 4-2
Logging Off the Solution Engine From a Serial Console 4-3

Book Title

iv

78-xxxxx-xx

Rebooting the Solution Engine From a Serial Console 4-3
Determining the Status of Solution Engine System and Services From a Serial Console 4-3
Tracing Routes 4-4
Stopping Solution Engine Services From a Serial Console 4-4
Starting Solution Engine Services From a Serial Console 4-5
Restarting Solution Engine Services From a Serial Console 4-6
Getting Command Help From the Serial Console 4-7

Working with System Data 4-8

Obtaining Support Logs From the Serial Console 4-9
Exporting Logs 4-10
Exporting a List of Groups 4-11
Exporting a List of Users 4-12
Backing Up ACS Data From the Serial Console 4-12
Restoring ACS Data From the Serial Console 4-14

Reconfiguring Solution Engine System Parameters 4-15

Resetting the Solution Engine Administrator Password 4-15
Resetting the Solution Engine CLI Administrator Name 4-16
Setting the GUI Administrator Logon and Password 4-17
Resetting the Solution Engine Database Password 4-18
Reconfiguring the Solution Engine IP Address 4-18
Setting the System Time and Date Manually 4-20
Setting the System Time and Date with NTP 4-20
Setting the System Timeout 4-21
Setting the Solution Engine System Domain 4-22
Setting the Solution Engine System Hostname 4-22

Contents

Patch Rollback 4-23

Removing Installed Patches 4-23
Understanding the CSAgent Patch 4-23

Recovery Management 4-24

Recovering from Loss of Administrator Credentials 4-24
Re-imaging the Solution Engine Hard Drive 4-25

CHAPTER

5 Upgrading and Migrating to Cisco Secure ACS Solution Engine 4.1 5-1

Upgrade Scenarios 5-1

Migration Scenarios 5-2

Upgrade Paths 5-2

Upgrade Procedure 5-4

Performing a Full Upgrade From ACS SE 4.0.1 to ACS SE 4.1 5-4
Performing a Full Upgrade from ACS SE 3.3.3 to ACS SE 4.1 5-8

78-xxxxx-xx

Book Title

v

Contents

Migrating from ACS for Windows to ACS SE 5-13

Migrating ACS SE on the ACS 1111 or ACS 1112 Platform to ACS SE 4.1 on the Cisco 1113 Platform 5-15

APPENDIX

APPENDIX

APPENDIX

A Technical Specifications for the Cisco 1113 A-1

B Windows Service Advisement B-1

Services That are Run B-1

Services That Are Not Run B-2

C Command Reference C-1

CLI Conventions C-1

Command Privileges C-1

Checking Command Syntax C-2

System Help C-2

Command Description Conventions C-3

Commands C-3

add guiadmin C-3
backup C-3
download C-4
exit C-4
exportgroups C-5
exportlogs C-5
exportusers C-6
help C-6
ntpsync C-7
lock guiadmin C-7
ping C-7
reboot C-9
restart C-9
restore C-10
rollback C-11
set admin C-11
set dbpassword C-11
set domain C-12
set hostname C-12
set ip C-12
set password C-13
set time C-13

Book Title

vi

78-xxxxx-xx

set timeout C-14
show C-14
shutdown C-14
start C-15
stop C-15
support C-16
tracert C-16
unlock guiadmin C-18
upgrade C-18

Contents

78-xxxxx-xx

Book Title

vii

Contents

Book Title

viii

78-xxxxx-xx

Audience

Preface

This guide describes how to install and initially configure the Cisco Secure ACS Solution Engine (ACS
SE), and includes upgrade and migration information for the Cisco 1111, Cisco 1112, and Cisco 1113
platforms. It also details administrative functions that you can perform from the command line interface.
This guide covers the CSACSE-1113-K9 hardware platform for the Cisco Secure ACS SE—also referred
to as the Cisco 1113 version.

This guide is intended for system administrators who install and configure internetworking equipment
and are familiar with Cisco IOS software.

Warning

Only trained and qualified personnel should install, replace, or service this equipment.

Organization

This guide contains:

• Preface

• Chapter 1, “Cisco Secure ACS Solution Engine Overview”

• Chapter 2, “Preparing for Installation”

• Chapter 3, “Installing and Configuring Cisco Secure ACS Solution Engine 4.1”

• Chapter 4, “Administering Cisco Secure ACS Solution Engine”

• Chapter 5, “Upgrading and Migrating to Cisco Secure ACS Solution Engine 4.1”

• Appendix A, “Technical Specifications for the Cisco 1113”

• Appendix B, “Windows Service Advisement”

• Appendix C, “Command Reference”

Conventions

This document uses the following conventions:

Item Convention

Commands and keywords boldface font

Variables for which you supply values italic font

Displayed session and system information

OL-9969-03

screen font

Installation Guide for Cisco Secure ACS Solution Engine 4.1

ix

Contents

Item Convention

Information you enter

Variables you enter

Menu items and button names boldface font

Selecting a menu item Option > Network Preferences

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the

publication.

Caution Means reader be careful. In this situation, you might do something that could result in equipment

damage or loss of data.

Warning Definition

boldface screen font

italic screen font

Warning

Waarschuwing

IMPORTANT SAFETY INSTRUCTIONS

This warning symbol means danger. You are in a situation that could cause bodily injury. Before you
work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar
with standard practices for preventing accidents. To see translations of the warnings that appear in
this publication, refer to the translated safety warnings that accompanied this device.

Note: SAVE THESE INSTRUCTIONS

Note: This documentation is to be used in conjunction with the specific product installation guide
that shipped with the product. Please refer to the Installation Guide, Configuration Guide, or other
enclosed additional documentation for further details.

BELANGRIJKE VEILIGHEIDSINSTRUCTIES

Dit waarschuwingssymbool betekent gevaar. U verkeert in een situatie die lichamelijk letsel kan
veroorzaken. Voordat u aan enige apparatuur gaat werken, dient u zich bewust te zijn van de bij
elektrische schakelingen betrokken risico's en dient u op de hoogte te zijn van de standaard
praktijken om ongelukken te voorkomen. Voor een vertaling van de waarschuwingen die in deze
publicatie verschijnen, dient u de vertaalde veiligheidswaarschuwingen te raadplegen die bij dit
apparaat worden geleverd.

Opmerking BEWAAR DEZE INSTRUCTIES.

Opmerking Deze documentatie dient gebruikt te worden in combinatie met de
installatiehandleiding voor het specifieke product die bij het product wordt geleverd. Raadpleeg de
installatiehandleiding, configuratiehandleiding of andere verdere ingesloten documentatie voor
meer informatie.

Installation Guide for Cisco Secure ACS Solution Engine 4.1

x

OL-9969-03

Contents

Varoitus

Attention

TÄRKEITÄ TURVALLISUUTEEN LIITTYVIÄ OHJEITA

Tämä varoitusmerkki merkitsee vaaraa. Olet tilanteessa, joka voi johtaa ruumiinvammaan. Ennen
kuin työskentelet minkään laitteiston parissa, ota selvää sähkökytkentöihin liittyvistä vaaroista ja
tavanomaisista onnettomuuksien ehkäisykeinoista. Tässä asiakirjassa esitettyjen varoitusten
käännökset löydät laitteen mukana toimitetuista ohjeista.

Huomautus SÄILYTÄ NÄMÄ OHJEET

Huomautus Tämä asiakirja on tarkoitettu käytettäväksi yhdessä tuotteen mukana tulleen
asennusoppaan kanssa. Katso lisätietoja asennusoppaasta, kokoonpano-oppaasta ja muista
mukana toimitetuista asiakirjoista.

IMPORTANTES INFORMATIONS DE SÉCURITÉ

Ce symbole d'avertissement indique un danger. Vous vous trouvez dans une situation pouvant causer
des blessures ou des dommages corporels. Avant de travailler sur un équipement, soyez conscient
des dangers posés par les circuits électriques et familiarisez-vous avec les procédures couramment
utilisées pour éviter les accidents. Pour prendre connaissance des traductions d'avertissements
figurant dans cette publication, consultez les consignes de sécurité traduites qui accompagnent cet
appareil.

Remarque CONSERVEZ CES INFORMATIONS

Remarque Cette documentation doit être utilisée avec le guide spécifique d'installation du produit
qui accompagne ce dernier. Veuillez vous reporter au Guide d'installation, au Guide de
configuration, ou à toute autre documentation jointe pour de plus amples renseignements.

Warnung

WICHTIGE SICHERHEITSANWEISUNGEN

Dieses Warnsymbol bedeutet Gefahr. Sie befinden sich in einer Situation, die zu einer
Körperverletzung führen könnte. Bevor Sie mit der Arbeit an irgendeinem Gerät beginnen, seien Sie
sich der mit elektrischen Stromkreisen verbundenen Gefahren und der Standardpraktiken zur
Vermeidung von Unfällen bewusst. Übersetzungen der in dieser Veröffentlichung enthaltenen
Warnhinweise sind im Lieferumfang des Geräts enthalten.

Hinweis BEWAHREN SIE DIESE SICHERHEITSANWEISUNGEN AUF

Hinweis Dieses Handbuch ist zum Gebrauch in Verbindung mit dem Installationshandbuch für Ihr
Gerät bestimmt, das dem Gerät beiliegt. Entnehmen Sie bitte alle weiteren Informationen dem
Handbuch (Installations- oder Konfigurationshandbuch o. Ä.) für Ihr spezifisches Gerät.

OL-9969-03

Installation Guide for Cisco Secure ACS Solution Engine 4.1

xi

Contents

Avvertenza

Advarsel

IMPORTANTI ISTRUZIONI SULLA SICUREZZA

Questo simbolo di avvertenza indica un pericolo. La situazione potrebbe causare infortuni alle
persone. Prima di intervenire su qualsiasi apparecchiatura, occorre essere al corrente dei pericoli
relativi ai circuiti elettrici e conoscere le procedure standard per la prevenzione di incidenti. Per le
traduzioni delle avvertenze riportate in questo documento, vedere le avvertenze di sicurezza che
accompagnano questo dispositivo.

Nota CONSERVARE QUESTE ISTRUZIONI

Nota La presente documentazione va usata congiuntamente alla guida di installazione specifica
spedita con il prodotto. Per maggiori informazioni, consultare la Guida all'installazione, la Guida
alla configurazione o altra documentazione acclusa.

VIKTIGE SIKKERHETSINSTRUKSJONER

Dette varselssymbolet betyr fare. Du befinner deg i en situasjon som kan forårsake personskade.
Før du utfører arbeid med utstyret, bør du være oppmerksom på farene som er forbundet med
elektriske kretssystemer, og du bør være kjent med vanlig praksis for å unngå ulykker. For å se
oversettelser av advarslene i denne publikasjonen, se de oversatte sikkerhetsvarslene som følger
med denne enheten.

Merk TA VARE PÅ DISSE INSTRUKSJONENE

Merk Denne dokumentasjonen skal brukes i forbindelse med den spesifikke
installasjonsveiledningen som fulgte med produktet. Vennligst se installasjonsveiledningen,
konfigureringsveiledningen eller annen vedlagt tilleggsdokumentasjon for detaljer.

Installation Guide for Cisco Secure ACS Solution Engine 4.1

xii

OL-9969-03

Contents

Aviso

¡Advertencia!

INSTRUÇÕES IMPORTANTES DE SEGURANÇA

Este símbolo de aviso significa perigo. O utilizador encontra-se numa situação que poderá ser
causadora de lesões corporais. Antes de iniciar a utilização de qualquer equipamento, tenha em
atenção os perigos envolvidos no manuseamento de circuitos eléctricos e familiarize-se com as
práticas habituais de prevenção de acidentes. Para ver traduções dos avisos incluídos nesta
publicação, consulte os avisos de segurança traduzidos que acompanham este dispositivo.

Nota GUARDE ESTAS INSTRUÇÕES

Nota Esta documentação destina-se a ser utilizada em conjunto com o manual de instalação
incluído com o produto específico. Consulte o manual de instalação, o manual de configuração ou
outra documentação adicional inclusa, para obter mais informações.

INSTRUCCIONES IMPORTANTES DE SEGURIDAD

Este símbolo de aviso indica peligro. Existe riesgo para su integridad física. Antes de manipular
cualquier equipo, considere los riesgos de la corriente eléctrica y familiarícese con los
procedimientos estándar de prevención de accidentes. Vea las traducciones de las advertencias
que acompañan a este dispositivo.

Nota GUARDE ESTAS INSTRUCCIONES

Nota Esta documentación está pensada para ser utilizada con la guía de instalación del producto
que lo acompaña. Si necesita más detalles, consulte la Guía de instalación, la Guía de
configuración o cualquier documentación adicional adjunta.

Varning!

VIKTIGA SÄKERHETSANVISNINGAR

Denna varningssignal signalerar fara. Du befinner dig i en situation som kan leda till personskada.
Innan du utför arbete på någon utrustning måste du vara medveten om farorna med elkretsar och
känna till vanliga förfaranden för att förebygga olyckor. Se översättningarna av de
varningsmeddelanden som finns i denna publikation, och se de översatta säkerhetsvarningarna som
medföljer denna anordning.

OBS! SPARA DESSA ANVISNINGAR

OBS! Denna dokumentation ska användas i samband med den specifika
produktinstallationshandbok som medföljde produkten. Se installationshandboken,
konfigurationshandboken eller annan bifogad ytterligare dokumentation för närmare detaljer.

OL-9969-03

Installation Guide for Cisco Secure ACS Solution Engine 4.1

xiii

Contents

Documentation Updates

Ta b l e 1 Updates to Installation Guide for Cisco Secure ACS Solution Engine 4.1

Date Description

12/15/2009 • Updated Solution Engine Specifications for the Cisco 1113

• Updated the table ACS SE Technical Specifications for the Cisco 1113

Installation Guide for Cisco Secure ACS Solution Engine 4.1

xiv

OL-9969-03

Product Documentation

Note We sometimes update the printed and electronic documentation after original publication. Therefore,

you should also review the documentation on Cisco.com for any updates.

Table 2 describes the product documentation that is available.

Ta b l e 2 Product Documentation

Document Title Available Formats

Documentation Guide for Cisco Secure ACS
Release 4.1

Release Notes for Cisco Secure ACS Release 4.1 On Cisco.com:

• Shipped with product.

• PDF on the product CD-ROM.

• On Cisco.com at:

http://www.cisco.com/en/US/products/sw/secursw/
ps2086/products_documentation_roadmaps_list.html

Contents

User Guide for Cisco Secure Access Control
Server 4.1

Configuration Guide for Cisco Secure ACS
Release 4.1

Installation Guide for Cisco Secure ACS for
Windows Release 4.1

Installation Guide for Cisco Secure ACS Solution
Engine Release 4.1

Regulatory Compliance and Safety Information
for the Cisco Secure ACS Solution Engine
Release 4.1

Installation and Configuration Guide for Cisco
Secure ACS Remote Agents Release 4.1

Supported and Interoperable Devices and
Software Tables for Cisco Secure ACS Solution
Engine Release 4.1

http://www.cisco.com/en/US/products/sw/secursw/
ps2086/prod_release_notes_list.html

On Cisco.com

http://www.cisco.com/en/US/products/sw/secursw/
ps2086/products_user_guide_list.html

On Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/
products_installation_and_configuration_guides_list.html

On Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/
ps2086/prod_installation_guides_list.html

On Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/
ps5338/prod_installation_guides_list.html

• Shipped with product.

• PDF on the product CD-ROM.

• On Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/
ps5338/prod_installation_guides_list.html

On Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/
ps5338/prod_installation_guides_list.html

On Cisco.com:

http://www.cisco.com/en/US/products/sw/secursw/
ps2086/products_device_support_tables_list.html

OL-9969-03

Installation Guide for Cisco Secure ACS Solution Engine 4.1

xv

Contents

Table 2 Product Documentation (continued)

Document Title Available Formats

Installation and User Guide for Cisco Secure
ACS User-Changeable Passwords

Online Documentation In the ACS HTML interface, click Online Documentation.

Online Help In the ACS HTML interface, online help appears in the right pane when

On Cisco.com at:

http://www.cisco.com/en/US/products/sw/secursw/
ps2086/prod_installation_guides_list.html.html

you are configuring a feature.

Related Documentation

Note We sometimes update the printed and electronic documentation after original publication. Therefore,

you should also review the documentation on Cisco.com for any updates.

A set of white papers about Cisco Secure ACS for Windows is available at:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/prod_white_papers_list.html

Much of the information in these papers is applicable to Cisco Secure ACS Solution Engine.

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. This section explains the
product documentation resources that Cisco offers.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/techsupport

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD

The Product Documentation DVD is created and released regularly. DVDs are available singly or by
subscription. Registered Cisco.com
DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco
Store at this URL:

http://www.cisco.com/go/marketplace/docstore

Installation Guide for Cisco Secure ACS Solution Engine 4.1

xvi

users can order a Product Documentation DVD (product number

Marketplace at the Product Documentation

OL-9969-03

Ordering Documentation

You must be a registered Cisco.com user to access Cisco Marketplace. Registered users may order
Cisco

documentation at the Product Documentation Store at this URL:

http://www.cisco.com/go/marketplace/docstore

If you do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Documentation Feedback

You can provide feedback about Cisco technical documentation on the Cisco Technical Support &
Documentation site area by entering your comments in the feedback form available in every online
document.

Cisco Product Security Overview

Contents

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you will find information about how to:

• Report security vulnerabilities in Cisco products

• Obtain assistance with security incidents that involve Cisco products

• Register to receive security information from Cisco

A current list of security advisories, security notices, and security responses for Cisco products is
available at this

http://www.cisco.com/go/psirt

To see security advisories, security notices, and security responses as they are updated in real time, you
can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS)
feed. Information about how to subscribe to the PSIRT RSS feed is found at this

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

URL:

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them,
and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability
in a Cisco

product, contact PSIRT:

URL:

• For emergencies only — security-alert@cisco.com

An emergency is either a condition in which a system is under active attack or a condition for which
a severe and urgent security vulnerability should be reported. All other conditions are considered
nonemergencies.

• For nonemergencies — psirt@cisco.com

OL-9969-03

Installation Guide for Cisco Secure ACS Solution Engine 4.1

xvii

Contents

In an emergency, you can also reach PSIRT by telephone:

• 1 877 228-7302

• 1 408 525-6532

Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to

encrypt any sensitive information that you send to Cisco. P SIRT ca n wor k with information that has been
encrypted with PGP versions

Never use a revoked encryption key or an expired encryption key. The correct public key to use in your
correspondence with PSIRT is the one linked in the Contact Summary section of the Security
Vulnerability Policy page at this

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

The link on this page has the current PGP key ID in use.

If you do not have or use PGP, contact PSIRT to find other means of encrypting the data before sending
any sensitive material.

2.x through 9.x.

URL:

Product Alerts and Field Notices

Modifications to or updates about Cisco products are announced in Cisco Product Alerts and Cisco Field
Notices. You can receive Cisco Product Alerts and Cisco Field Notices by using the Product Alert Tool
on Cisco.com. This tool enables you to create a profile and choose those products for which you want to
receive information.

To access the Product Alert Tool, you must be a registered Cisco.com user. (To register as a Cisco.com
user, go to this URL:
tool at this URL: https://www.cisco.com/web/siteassets/account/index.html

http://tools.cisco.com/RPF/register/register.do) Registered users can access the

Obtaining Technical Assistance

Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The
Cisco

Technical Support & Documentation website on Cisco.com features extensive online support
resources. In addition, if you have a valid Cisco
(TAC) engineers provide telephone support. If you do not have a valid Cisco
your reseller.

Cisco Technical Support & Documentation Website

The Cisco Technical Support & Documentation website provides online documents and tools for
troubleshooting and resolving technical issues with Cisco
available 24

http://www.cisco.com/techsupport

hours a day at this URL:

service contract, Cisco Technical Assistance Center

products and technologies. The website is

service contract, contact

Installation Guide for Cisco Secure ACS Solution Engine 4.1

xviii

OL-9969-03

Contents

Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com
user ID and password. If you have a valid service contract but do not have a user ID or password, you
can register at this

http://tools.cisco.com/RPF/register/register.do

Note Use the Cisco Product Identification Tool to locate your product serial number before submitting a

request for service online or by phone. You can access this tool from the Cisco
Documentation website by clicking the Tools & Resources link, clicking the All Tools (A-Z) tab, and
then choosing Cisco
options: by product ID or model name; by tree view; or, for certain products, by copying and pasting
show command output. Search results show an illustration of your product with the serial number label
location highlighted. Locate the serial number label on your product and record the information before
placing a service call.

Tip Displaying and Searching on Cisco.com

If you suspect that the browser is not refreshing a web page, force the browser to update the web page
by holding down the Ctrl key while pressing F5.

To find technical information, narrow your search to look in technical documentation, not the entire
Cisco.com website. On the Cisco.com home page, click the Advanced Search link under the Search box
and then click the Technical Support & Documentation radio button.

To provide feedback about the Cisco.com website or a particular technical document, click Contacts &
Feedback at the top of any Cisco.com web page.

URL:

Technical Support &

Product Identification Tool from the alphabetical list. This tool offers three search

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and
S4 service requests are those in which your network is minimally impaired or for which you require
product information.) After you describe your situation, the TAC
recommended solutions. If your issue is not resolved using the recommended resources, your service
request is assigned to a Cisco

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone.
(S1 or S2 service requests are those in which your production network is down or severely degraded.)
Cisco

engineers are assigned immediately to S1 and S2 service requests to help keep your business

operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411
Australia: 1 800 805 227
EMEA: +32 2 704 55 55
USA: 1 800 553 2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

OL-9969-03

Service Request Tool provides

engineer. The TAC Service Request Tool is located at this URL:

Installation Guide for Cisco Secure ACS Solution Engine 4.1

xix

Contents

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity
definitions.

Severity 1 (S1)—An existing network is “down” or there is a critical impact to your business operations.
Yo u a nd C i sco

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your
business operations are negatively affected by inadequate performance of Cisco
Cisco

will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of the network is impaired while most business operations
remain functional. You and Cisco
to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or
configuration. There is little or no effect on your business operations.

will commit all necessary resources around the clock to resolve the situation.

will commit resources during normal business hours to restore service

Obtaining Additional Publications and Information

products. You and

Information about Cisco products, technologies, and network solutions is available from various online
and printed sources.

• The Cisco Online Subscription Center is the website where you can sign up for a variety of

Cisco

e-mail newsletters and other communications. Create a profile and then select the
subscriptions that you would like to receive. To visit the Cisco Online Subscription Center,
go

to this URL:

http://www.cisco.com/offer/subscribe

• The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief

product overviews, key features, sample part numbers, and abbreviated technical specifications for
many Cisco
the latest Cisco channel product offerings. To order and find out more about the Cisco
Reference Guide, go to this URL:

http://www.cisco.com/go/guide

• Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo

merchandise. Visit Cisco

http://www.cisco.com/go/marketplace/

• Cisco Press publishes a wide range of general networking, training, and certification titles. Both new

and experienced users will benefit from these publications. For current Cisco
information, go to Cisco

http://www.ciscopress.com

• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering

professionals involved in designing, developing, and operating public and private internets and
intranets. You can access the Internet Protocol Journal at this

products that are sold through channel partners. It is updated twice a year and includes

Product Quick

Marketplace, the company store, at this URL:

Press titles and other

Press at this URL:

URL:

http://www.cisco.com/ipj

• Networking products offered by Cisco Systems, as well as customer support services, can be

obtained at this

http://www.cisco.com/en/US/products/index.html

Installation Guide for Cisco Secure ACS Solution Engine 4.1

xx

URL:

OL-9969-03

Contents

• Networking Professionals Connection is an interactive website where networking professionals

share questions, suggestions, and information about networking products and technologies with
Cisco

experts and other networking professionals. Join a discussion at this URL:

http://www.cisco.com/discuss/networking

• “What’s New in Cisco Documentation” is an online publication that provides information about the

latest documentation releases for Cisco products. Updated monthly, this online publication is
organized by product category to direct you quickly to the documentation for your products. You
can view the latest release of “What’s New in Cisco Documentation” at this URL:

http://www.cisco.com/univercd/cc/td/doc/abtunicd/136957.htm

• World-class networking training is available from Cisco. You can view current offerings at

this

URL:

http://www.cisco.com/en/US/learning/index.html

OL-9969-03

Installation Guide for Cisco Secure ACS Solution Engine 4.1

xxi

Contents

Installation Guide for Cisco Secure ACS Solution Engine 4.1

xxii

OL-9969-03

Cisco 90-Day Limited Hardware Warranty Terms

There are special terms applicable to your hardware warranty and various services that you can use
during the warranty period. Your formal Warranty Statement, including the warranties and license
agreements applicable to Cisco software, is available on Cisco.com. Follow these steps to access and
download the Cisco Information Packet and your warranty and license agreements from Cisco.com.

1. Launch your browser, and go to this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/cetrans.htm

The Warranties and License Agreements page appears.

2. To read t h e Cisco Information Packet, follow these steps:
a. Click the Information Packet Number field, and make sure that the part number

78-5235-03B0 is highlighted.

b. Select the language in which you would like to read the document.
c. Click Go.

The Cisco Limited Warranty and Software License page from the Information Packet appears.

d. Read the document online, or click the PDF icon to download and print the document in Adobe

Portable Document Format (PDF).

Note You must have Adobe Acrobat Reader to view and print PDF files. You can download

the reader from Adobe’s website: http://www.adobe.com

3. To read translated and localized warranty information about your product, follow these steps:
a. Enter this part number in the Warranty Document Number field:

78-5236-01C0

b. Select the language in which you would like to read the document.
c. Click Go.

The Cisco warranty page appears.

d. Review the document online, or click the PDF icon to download and print the document in

Adobe Portable Document Format (PDF).

You can also contact the Cisco service and support website for assistance:

http://www.cisco.com/public/Support_root.shtml.

OL-9969-03

Installation Guide for Cisco Secure ACS Solution Engine 4.1

xxiii

Cisco 90-Day Limited Hardware Warranty Terms

Duration of Hardware Warranty

Ninety (90) days.

Replacement, Repair, or Refund Policy for Hardware

Cisco or its service center will use commercially reasonable efforts to ship a replacement part within ten
(10) working days after receipt of a Return Materials Authorization (RMA) request. Actual delivery
times can vary, depending on the customer location.

Cisco reserves the right to refund the purchase price as its exclusive warranty remedy.

To Receive a Return Materials Authorization (RMA) Number

Contact the company from whom you purchased the product. If you purchased the product directly from
Cisco, contact your Cisco Sales and Service Representative.

Complete the information below, and keep it for reference:

Company product purchased from

Company telephone number

Product model number

Product serial number

Maintenance contract number

Installation Guide for Cisco Secure ACS Solution Engine 4.1

xxiv

OL-9969-03

Cisco Secure ACS Solution Engine Overview

System Description

Cisco Secure ACS Solution Engine (ACS SE) is a highly scalable, rack-mounted, dedicated platform that
serves as a high-performance access control server supporting centralized Remote Access Dial-In User
Service (RADIUS) and Terminal Access Controller Access Control System (TACACS+). ACS SE
controls the authentication, authorization, and accounting (AAA) of users accessing corporate resources
through the network.

You use ACS SE to control who can access the network, to authorize what types of network services are
available for particular users or groups of users, and to keep an accounting record of all user actions in
the network. The appliance supports access control and accounting for dial-up access servers, firewalls
and VPNs, Voice-over-IP solutions, content networking, and switched and wireless local area networks
(LANs and WLANs). In addition, you can use the same AAA framework, via TACACS+, to manage
administrative roles and groups and to control how network administrators change, access, and configure
the network internally.

ACS SE provides almost the same set of features and functions as in the Cisco Secure ACS for Windows
Server (the software product) in a dedicated, security hardened, application-specific, appliance
packaging. ACS SE includes additional features specific to operating and managing the ACS appliance.
See Release Notes for Cisco Secure ACS 4.1 for the new features in this release.

To ensure a highly secure posture, ACS SE:

CHAPTER

1

• Runs only the necessary services of the underlying hardened Windows operating system. (See

Appendix B, “Windows Service Advisement,” for details on the hardening.)

• Does not support a keyboard or monitor.

• Does not provide access to its file system.

• Does not allow you to run arbitrary applications on it.

• Allows TCP/IP connections only via the ports necessary for its own operations.

OL-9969-03

Installation Guide for Cisco Secure ACS Solution Engine 4.1

1-1

ACS SE Hardware Description

78230

Network

Cisco Secure

ACS Appliance

External User

Database(s)

Serial Port

Connection

HTTPS

Radius or

TACAS+

Encrypted

TCP

Encrypted

TCP

FTP

Administrative

Console

Administrative

HTML Interface

AAA clients

Solaris Server with

Solaris Remote Service

Windows Server with

Windows Remote Service

FTP Server

Figure 1-1 shows the ACS SE operating context.

Figure 1-1 ACS SE Context Diagram

Chapter 1 Cisco Secure ACS Solution Engine Overview

The administrative console in the context diagram represents any data terminal equipment (DTE)
capable of supporting administrative connection via a serial port connection and is generally referred to
as a console in this guide.

For more detailed information on ACS SE features and capabilities, see the User Guide for Cisco Secure
ACS Release 4.1 and the Release Notes for Cisco Secure ACS Solution Engine.

ACS SE Hardware Description

ACS SE is a rack-mountable 1U box. The sections below describe the Cisco 1113 device, which runs on
a Quanta S27 system.

Serial Port

Serial Port Connector

1-2

The integrated serial port on the back panel of the appliance uses a 9-pin, D-subminiature connector.

If you reconfigure your hardware, you may need information regarding the pin number and signal for
the serial port connector.
the pin assignments and interface signals for the serial port connector. (Pin numbering proceeds bottom
to top and right to left, as illustrated.)

Installation Guide for Cisco Secure ACS Solution Engine 4.1

Figure 1-4 illustrates the pin numbers for the serial port connector, and defines

OL-9969-03

Chapter 1 Cisco Secure ACS Solution Engine Overview

Solution Engine Specifications for the Cisco 1113

The ACS SE on the Cisco 1113 platform has the following specifications:

• Intel Pentium IV 3.4 GHz/800FSB/2M KB CPU

• Broadcom 5721J Ethernet network interface card

• 80-GB or more ATA hard drive

• QSI DVD-ROM drive

• Serial port

• 1 GB DDRII 667 unbuffered memory

• DVD-Combo drive

• 345 W power supply

Technical specifications are detailed in Appendix A, “Technical Specifications for the Cisco 1113.”

This section contains:

• Front Panel Features for the Cisco 1113, page 1-3

• Back Panel Features for the Cisco 1113, page 1-5

ACS SE Hardware Description

• Serial Port, page 1-2

• Ethernet Connectors, page 1-7

• Network Cable Requirements, page 1-7

Front Panel Features for the Cisco 1113

The Cisco 1113 front panel contains switches, indicators, and the CD-ROM drive. Figure 1-2 shows the
front panel switches and LED indicators. The functions of the switches and LED indicators are described
in the table below the illustration.

OL-9969-03

Installation Guide for Cisco Secure ACS Solution Engine 4.1

1-3

ACS SE Hardware Description

149998

1

2

3

4

5

6

CISC

O 1190

BUILDING BR

OADBA

ND SERVICE M

ANAG

ER

7

Figure 1-2 Front Panel Switches and Indicators for the Cisco 1113

Chapter 1 Cisco Secure ACS Solution Engine Overview

The following table describes the callouts in Figure 1-2.

No. Switch or LED Indicator Description
1 DVD-ROM drive activity LED On = Activity

Off = No Activity

2 Power On/Off button and LED Pushing the power button turns the unit on or off. The LED

in the center of the power On/Off button has three states:

Blinking Green = Power is connected but not on
Green = Power On
Off = Power Off

3 Unused button This button is not operational.
4 HDD LED Indicates that there is activity on the hard drive.

Installation Guide for Cisco Secure ACS Solution Engine 4.1

1-4

OL-9969-03

Chapter 1 Cisco Secure ACS Solution Engine Overview

No. Switch or LED Indicator Description
5 Unit Identification Button To enable the Unit Identification LED, push the Unit

6 Unit Identification LED The Unit Identification LED has the following states:

ACS SE Hardware Description

Identification Button.

When the Unit identification button is on, the Unit
Identification LEDs on the front and back panels flash
blue. This enables you to go behind the unit and look at the
flashing blue light on the back You can turn off the flashing
LED on the back of the unit off by pressing the Unit
Identification button on the back panel.

To turn off the Unit Identification LED, when the LED is
on, push the Unit Identification Button.

Off = System power is off, the system ID button has not
been pushed, and there is no fault assertion condition (the
system cover is on the device and there is no fault
condition).

Flashing Blue = When the system ID button is pushed, the
Unit Identification LED flashes blue if the system is in
either standby mode or system power is on.

Solid Blue = System power is on, the system cover is on the
device, and there is no fault assertion condition. The
system ID button has not been pushed.

7 USB port (not supported) Universal Serial Bus port. Do not use.

Back Panel Features for the Cisco 1113

The back panel for the Cisco 1113 contains the AC power receptacle, Ethernet connectors, indicator
LEDs, and a serial port.

Figure 1-3 shows the back-panel features.

Flashing Amber = The system is on standby power, there
is a fault assertion condition (for example, the cover has
been removed from the device), and the system ID button
has not been pushed.

OL-9969-03

Installation Guide for Cisco Secure ACS Solution Engine 4.1

1-5

ACS SE Hardware Description

149999

1

2

2

1

Gb

1

9

8

7

2

3

4

5

6

Figure 1-3 Back Panel Features for the Cisco 1113

The following table describes the callouts in Figure 1-3.

Chapter 1 Cisco Secure ACS Solution Engine Overview

Serial Port

No. Description
1 AC power receptacle
2 Mouse connector (not supported). Do not use.
3 USB connectors (not supported). Do not use.
4 Serial connector (see Figure 1-3)
5 Video connector (not supported). Do not use.
6 RJ-45 Fast Ethernet connector with

10/100/1000-Mbit/s operation for NIC 2

7 RJ-45 Fast Ethernet connector with

10/100/1000-Mbit/s operation for NIC 1

8 Unit Identification Button and LED. When the

Unit Identification Button on the front panel is
pressed, this causes the Unit Identification
Button on the back panel to flash blue. To turn
off the Unit Identification indicator on the
back panel, push the Unit Identification
button.

9 Keyboard connector

The integrated serial port on the back panel of the appliance uses a 9-pin, D-subminiature connector.

Serial Port Connector

If you reconfigure your hardware, you may need information regarding the pin number and signal for
the serial port connector.
the pin assignments and interface signals for the serial port connector. (Pin numbering proceeds bottom
to top and right to left, as illustrated.)

Installation Guide for Cisco Secure ACS Solution Engine 4.1

1-6

Figure 1-4 illustrates the pin numbers for the serial port connector, and defines

OL-9969-03